Ontario’s electronic monitoring legislation, Bill 88, falls short on privacy protection, say experts

Lawyers agree the law is not a robust privacy law

Andy Pushalik and Janice Pereira say employers should be careful in how much they disclose under Bill 88

Bill 88, the Ontario legislation that became law in April and requires employers to tell employees if, how and in what circumstances they are being monitored electronically, is in many ways but a shadow of what many imagine it to be.

“The driving focus for the government was transparency in the sense of ensuring that employees know what employers are doing,” says Andy Pushalik, the Toronto-based national lead of Dentons Canada LLP’s labour and employment group. “But it is not a robust privacy law.”

That’s certainly the view of Patricia Kosseim, Ontario’s Information and Privacy Commissioner. In an April op-ed, she called the legislation a “laudable first step” that “doesn’t go far enough” from a privacy perspective.

David Young, privacy and regulatory counsel at David Young Law in Ottawa, agrees. He points out that only Alberta and British Columbia among Canada’s common law provinces have sophisticated privacy laws.

“In provinces that do not have privacy laws, there’s no requirement that what’s collected is reasonable, so employers seem free to collect anything under the sun. In Ontario, Bill 88 doesn’t change that: it merely requires employers to give notice of what they’re collecting and how they collect it, whether collecting a particular type of information is reasonable or not.”

By contrast, while privacy legislation in Alberta and BC is consent-based, there’s an exception where what management collects is reasonable and management gives employees appropriate notice.

“This requirement of reasonableness should be in every privacy law,” Young says. “As it turns out, Ontario’s white paper on privacy law suggests that it will indeed be included in forthcoming legislation.”

Meanwhile, Bill 88 doesn’t even provide a mechanism for dealing with employees’ objections.

“In fact, the guidelines for Bill 88 suggest that employers have no obligation to restrict their monitoring in the face of an objection, so long as they have been sufficiently transparent about it,” Pereira says.

However that may be, it’s arguable that Bill 88 doesn’t even go far enough from a transparency perspective: the law, for example, fails to define “electronic monitoring,” which may leave important questions unanswered.

“Absent a definition, Bill 88 would seem to cover all forms of monitoring done by electronic means,” says Pushalik’s colleague Janice Pereira. “It doesn’t answer questions about things like passive monitoring, where the employer’s software collects information, but the employer never looks at it.”

While the government has issued guidelines that discuss what electronic monitoring embraces, they’re not particularly helpful.

“Basically, the guidelines say that anything performed on electronic equipment is electronic monitoring, which is a bit circular and in effect includes everything,” Young says. “A definition would be more desirable.”

Most of Dentons’ clients, Pereira points out, can monitor employees by way of software that management has no idea even exists.

“Many will have to speak to their IT departments to find out what’s going on.”

And when it comes to developing policies that conform with Bill 88, just speaking to IT may not be enough.

“When seeking practical advice, employers may have to look to a few different departments, including IT and human resources,” Pushalik says.

That said, companies need to be cautious in disclosing how they undertake electronic monitoring.

“Employers should strike a balance between transparency and providing so much information about how the monitoring software works that employees can circumvent the process,” Pereira says.

By way of example, Pereira cites automated software that screens company email accounts to safeguard confidential and proprietary information.

“The company would likely need to disclose that it utilizes such software, but disclosing how the algorithm works – perhaps by screening for email addresses containing a competitor’s name – may enable employees to circumvent the process by sending the information to a personal email account rather than an address that identifies the competitor.”

Pushalik also recommends that employers disclose why they’re engaged in a particular form of electronic monitoring.

“People like to know why management is doing things. For example, an employer might explain that monitoring is necessary because cybersecurity prevention to protect confidential information as well as employee and client data is becoming increasingly expensive as the integrity of computer systems becomes more and more vulnerable to sophisticated hackers.”